FQDN and a nightmare :S

wedge1988 Member Posts: 434 ■■■□□□□□□□
Hi All,

A little help on this would be appreciated :)

I'm confused with this, as it's the first time I've had to actually implement it. Basically, I will be needing to set up an extranet environment. So would this setup be appropriate:

Extranet FQDN: mycorp.com
Intranet / Local domain FQDN: mycorp.local

Or am I losing the plot? The internal domain needs full access to the external domain for Exchange and SharePoint Server etc.

Or is this correct:

Extranet FQDN: mycorp.com
Intranet / Local domain FQDN: local.mycorp.com

I have a feeling it's this, but I just want a confirmation; I have no way of setting up a test environment to the internet :(

Thanks!
~ wedge1988 ~ IdioT Certified~
MCSE:2003 ~ MCITP:EA ~ CCNP:R&S ~ CCNA:R&S ~ CCNA:Voice ~ Office 2000 MASTER ~ A+ ~ N+ ~ C&G:IT Diploma ~ Ofqual Entry Japanese

Comments

  • Pash Member Posts: 1,600 ■■■■■□□□□□
    Be careful about understanding what an FQDN is and what your TLD (top level domain) is when working on your solution. The FQDN is the absolute domain name of any host on your network, literally; internally, hostexample.mycorp.local might be a host on your network. Or you may have child domains in place like hostexample.eu.mycorp.local.

    Obviously local is not a recognised public TLD and therefore it is the most commonly used TLD for Active Directory installations.

    local.mycorp.com would just be a sub-domain of mycorp.com (your second level domain).

    How DNS Works: Domain Name System(DNS)
    DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
  • wedge1988 Member Posts: 434 ■■■□□□□□□□
    I think I may need to explain a bit better:

    I wasn't referring to hosts; local.mycorp.com was a subdomain of mycorp.com, i.e. server.local.mycorp.com.

    What I need to know is: if I set up the domain name of mycorp.com on my perimeter network, and then set up the domain name of mycorp.local on the corporate network, will both domains be able to contact each other properly?

    You see, each domain will have its own Active Directory. I have this setup now, each with a different domain name, and I CANNOT get Exchange to work properly.

    So, I'm assuming that if I used mycorp.com on the extranet (perimeter network) then used internal.mycorp.com on the corporate network (intranet) I would be able to correctly resolve the network information.

    Help!?
  • RobertKaucher Member Posts: 4,299 ■■■■■■■■■■
    They will be able to contact each other just fine. You need to allow them to interact by creating trusts between the two forests.

    You said you are creating an extranet… What exactly are you trying to accomplish? You are obviously trying to work with Exchange, but to what end? Are you allowing external partners or individuals access to the Exchange server or are you doing something else? It’s hard to say what you need to do without knowing what you are really trying to accomplish…

    Pash’s point was that MyCorp.com is not an FQDN and was cautioning you on your usage/understanding of the term. A “Fully Qualified Domain Name” always starts with the host name and ends in the top-level domain name. www.MyCorp.com is an example. www is usually an alias for a web server or a cluster on the network. Local.MyCorp.com is not a FQDN, it’s just a third level domain name.
  • wedge1988 Member Posts: 434 ■■■□□□□□□□
    Point taken. I've been really busy today ...

    Anyways. Basically, with Exchange, I want to allow external users to get their mail, then it needs to update their inbox on the main network as well as the extranet.

    Also, I'm setting up SharePoint Server, which I need people to have access to externally, with access as though they would be on the local network. I did have a brainstorm today and thought about using a read-only domain controller.

    For the SharePoint server, I essentially need users to access it externally. I want the internal network to be separated from the perimeter network, but I need the extranet to use the same SQL server (because I want the same SharePoint sites to be available on either domain).

    If I set up a WFE on the extranet and the SharePoint server on the intranet, set up a one-way trust and use 2 separate domains (extranet being public and intranet being .local) then I presume this is highly secure with a firewall in between etc.

    Any ideas? Help!
  • wedge1988 Member Posts: 434 ■■■□□□□□□□
    anybody?
  • dynamik Banned Posts: 12,312 ■■■■■■■■■□
    What version of Exchange are you using? Why do you need to have separate domains? How large scale is this project?
  • blargoe Member Posts: 4,174 ■■■■■■■■■□
    I don't understand why the separate domain. If the people on the outside of the network already have mailboxes inside the network and they have to have the same data, why aren't you just publishing them using OWA or Outlook anywhere externally?

    All you're looking to do is to make your internal email and sharepoint accessible from outside the network? That's what I'm seeing... please correct me if I'm wrong though. There are much easier ways to do it.
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • RobertKaucher Member Posts: 4,299 ■■■■■■■■■■
    Blargoe has a very good point there.

    As far as SharePoint goes, setting up an extranet can be a royal PitA and I was suspicious you might be doing something like this with SharePoint. My next question is this: are the users who access these services (SharePoint and Exchange) actually external users? Are they partners, customers and/or vendors from other companies to whom you want to grant access to these services for whatever reason?

    If your answer is "no" to the above question you are over thinking the issue and can simply publish these sites using SSL and NAT on your firewall. I HIGHLY recommend ISA Server 2006 for this.
  • wedge1988 Member Posts: 434 ■■■□□□□□□□
    Hi All,

    Thanks for your replies, I see that you're all getting my point now. :)

    I'll get a map together for you as soon as I can on the network design.

    I actually work in a school, which has requested me to allow students, staff, parents and governors access to the SharePoint site.

    Students need to be able to return assigned work (with the SLK) and staff & governors need to be able to upload documents and assign work. Parents only need to read.

    I have ISA Server 2006, which I will be using to separate the internal network from the external. I also have a Linux firewall in front of the extranet.

    I'm really only posting because I have never done this before, and it's the first time I have tried anything as such.

    When you say you can simply publish the SharePoint sites with SSL & NAT, what you're saying really is this?:

    Create the extranet
    Open the ports required for the internet
    Open the ports required to contact the backend database
    Install SharePoint on the extranet as a web server only
    Enable SSL for encryption
    Enable NAT for seamless data transfer & security
    Create a 1-way trust where the perimeter network trusts the internal domain.

    I really need some guidelines.
    I have been going through the Microsoft documentation and it seems that I'm looking for the Split back to back topology: Design extranet farm topology (Office SharePoint Server)

    Hope you can help me; I will be setting up a test environment first, so I can go through it with you if needs be.


    --addition edit.
    dynamik wrote: »
    What version of Exchange are you using? Why do you need to have separate domains? How large scale is this project?

    Exchange 2007 STD, No reason for separate domains, security?, Hopefully not over complicated!!!

    blargoe wrote: »
    I don't understand why the separate domain. If the people on the outside of the network already have mailboxes inside the network and they have to have the same data, why aren't you just publishing them using OWA or Outlook anywhere externally?

    All you're looking to do is to make your internal email and sharepoint accessible from outside the network? That's what I'm seeing... please correct me if I'm wrong though. There are much easier ways to do it.

    Again, I've never done this before so I wouldn't really know the topology. So what you're saying is: create a WFE for Exchange, install IIS and the OWA files and open the ports for the back end Exchange server so it can access the mailboxes?

    -> Again, a bit of advice on the design would be appreciated!

    Cheers!
  • RobertKaucher Member Posts: 4,299 ■■■■■■■■■■
    I don't feel comfortable giving you advice on Exchange Server as that is an area I am weak in. But I am sure that this can be taken care of without the creation of a second domain/extranet.

    Let’s imagine that the domain name for your school is MySchool.edu and the Active Directory domain was MySchool.local. MySchool.edu is used for the school’s web site. Perhaps it is even hosted by a third party.

    I am assuming that every person who will be accessing these services has an active directory account in the MySchool.local domain. I set up my Exchange Servers and my SharePoint servers. Everyone can access them internally using their web browsers. So OWA is going and my web frontend SharePoint server is working.

    Now on my DNS entries for my Internet domain I am going to create DNS entries for portal.MySchool.edu and owa.MySchool.edu (or maybe mail.myschool.edu whatever is easiest for you and your users). These DNS entries will point to a public IP address at my facility. If I am using ISA server I will create a publishing rule that says “if you receive a request for portal.MySchool.edu please use port forwarding to contact sharepoint.MySchool.local on 443.” I will then create another rule that says “if you receive a request for owa.MySchool.edu, please use port forwarding to access exchange07.MySchool.local.” Now if I am not using ISA or some sort of firewall that uses this sort of port forwarding I will need to make a NAT rule and assign owa.myschool.edu and portal.myschool.edu their own public IPs.

    When the users go to https://portal.myschool.edu/ they will be presented with a login box. They will need to login with their domain credentials:

    MySchool\Ima.User
    P@$$w0rd1

    And boom, Ima User will have access to the SharePoint site. Assuming you have good password policies and the correct security permissions in place in your internal AD domain, there is no real need for a second domain or any extranet.
  • dynamik Banned Posts: 12,312 ■■■■■■■■■□
    Yea, I don't see the need for a separate domain. I would however add an Edge Transport server for Exchange. Have you thought about setting up a third network with ISA for a DMZ?
  • wedge1988 Member Posts: 434 ■■■□□□□□□□
    @ RobertKaucher, that's exactly what I thought of originally. Surely that way of setting up the extranet is a security risk? You're essentially authorizing users access to your network and what if they exploit the accounts?

    @ dynamik

    I haven't considered a 3rd network, but that seems overly complicated. I will be using an Edge Transport server!

    I did a drawing today which I will scan in tomorrow for you. At the moment I'm more concerned with the security side. If you ask anybody at a school, that's the first thing that they will say to you!

    If you have any more suggestions I'm all ears!
  • dynamik Banned Posts: 12,312 ■■■■■■■■■□
    Hm? A DMZ is common practice and is much less complicated than setting up another domain. Essentially, you'd just allow ports 25, 80, and/or 443 in from your ISA server to specific machines in your DMZ, and then you'd allow any ports, if necessary (say for ADAM), in from your Edge Transport server to your internal network (or just to the necessary machine).

    You were planning on creating a separate domain that would coexist on your internal network and be connected via a trust?

    The cool thing about ISA is that you can require users to authenticate to that first. That way, anonymous users won't be able to directly attack your Exchange, Sharepoint, etc. servers.
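
The port policy described in the post above, expressed as a least-privilege check over a rule table. This is an added example, not code from any poster or from ISA Server; the rule format, the host names (edge01, wfe01, hub01, sql01) and the sample rules are constructed for illustration.

```python
"""Least-privilege audit of a three-legged (internet / dmz / internal) rule table.

Rule format, host names and the sample rules are constructed for illustration;
they are not taken from ISA Server or from the thread.
"""
from dataclasses import dataclass
from typing import Union

ANY = "any"
# Inbound ports named in the post above: SMTP, HTTP, HTTPS.
PUBLISHED_PORTS = {25, 80, 443}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    src_host: str
    dst_zone: str
    dst_host: str
    port: Union[int, str]


def audit(rules):
    """Return (rule_index, finding) pairs for rules that widen the design."""
    findings = []
    for i, r in enumerate(rules):
        path = (r.src_zone, r.dst_zone)
        if path == ("internet", "internal"):
            findings.append((i, "internet reaches the internal network directly"))
        elif path == ("internet", "dmz"):
            if r.port not in PUBLISHED_PORTS:
                findings.append((i, f"port {r.port} is not a published port"))
            if r.dst_host == ANY:
                findings.append((i, "inbound rule not pinned to one DMZ host"))
        elif path == ("dmz", "internal"):
            for field in ("src_host", "dst_host", "port"):
                if getattr(r, field) == ANY:
                    findings.append((i, f"dmz-to-internal rule has {field}=any"))
    return findings


# Constructed sample: hypothetical hosts edge01/wfe01 (DMZ), hub01/sql01 (internal).
SAMPLE_RULES = [
    Rule("internet", ANY, "dmz", "edge01", 25),        # 0: SMTP to the Edge Transport
    Rule("internet", ANY, "dmz", "wfe01", 443),        # 1: HTTPS to the web front end
    Rule("internet", ANY, "dmz", ANY, 3389),           # 2: RDP to every DMZ host
    Rule("dmz", "edge01", "internal", "hub01", 25),    # 3: Edge relays mail inward
    Rule("dmz", "wfe01", "internal", ANY, ANY),        # 4: front end can reach anything
    Rule("internet", ANY, "internal", "sql01", 1433),  # 5: database exposed to internet
]

if __name__ == "__main__":
    for index, finding in audit(SAMPLE_RULES):
        print(f"rule {index}: {finding}")
```

Rules 0, 1 and 3 match the design as described and pass; rules 2, 4 and 5 are the kinds of exceptions that tend to accumulate later and are worth re-checking whenever the rule set changes.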
  • wedge1988 Member Posts: 434 ■■■□□□□□□□
    Right, so what you're saying is the DMZ should not be a domain because of security reasons? And that DNS should be manually updated.

    This makes sense.

    I didn't know that about ISA, that's a neat feature. What about Kerberos? I'm going to use that, so I'm sure that should increase security also.

    I see what you mean by the domains now. The best solution would be to have the internal domain, then extranet, then DMZ. I get it now.

    I get the fact I must open the ports (only those required between each subnet), but what sort of security risks are there? I have the feeling that people can ride on the traffic? I hope I'm wrong. If this isn't the case then you've confirmed what I always thought, and thanks for all of your help

    (All of you!)
  • RobertKaucher Member Posts: 4,299 ■■■■■■■■■■
    Dynamik is perfectly correct. I was trying to get the idea across that a second domain was not needed. A DMZ would be ideal and really required, in my opinion.

    Wedge1988,
    Exploiting your user accounts is always a worry. Even if you created another domain with a trust this would still be an issue. If the accounts in the second domain can access resources in the first, what does it matter how many domains you have? This is a really complicated topic and I don't want you to think that we can give you the advice it seems you need in a forum post. We can point you in the right direction, but for more than that you really need more...

    Here are examples of setting up a DMZ (3 legged network) with ISA.
    How to use the ISA Server 2006 Network Templates
    Getting started with Microsoft ISA Server 2006, Part II: Configure Network Topology | Linglom's Blog

    The only real reason for setting up another domain and a true extranet is if you are allowing EXTERNAL partners and vendors to access resources on your network. This way you are not creating accounts for your vendors or partners on your domain. If you are just allowing INTERNAL users to access resources from outside the network you are not setting up an extranet and you really do not need another domain.
  • wedge1988 Member Posts: 434 ■■■□□□□□□□
    Yes, I get it all now. Thanks for all of your help, I appreciate it. I hope others appreciate mine, as it's the law of equivalent exchange!

    Lol. Again, thanks all. I'll let you know how I get on later in the year, if you'd like to know!
  • dynamik Banned Posts: 12,312 ■■■■■■■■■□
    I'm still not clear on the size of this project. You could make a separate DMZ domain for management purposes, but if you're only going to have a couple of machines, such as an Edge Transport and a web server, it doesn't make sense to throw in an extra DC or two for a new domain. You could also configure your DMZ as a separate AD site and have things like your Sharepoint Server and Hub Transport (since you may not want Activesync and/or OWA going to your internal network) servers be domain members. Then you'd only allow the necessary ports in from the internet to the DMZ and only allow those machines to use what they need for authentication or anything else to get to the internal network.

    There's not a single right way to go about this, and you're never going to be 100% secure. All you can do is lock things down as much as possible given the functionality you require.
  • RobertKaucher Member Posts: 4,299 ■■■■■■■■■■
    wedge1988 wrote: »
    I get the fact I must open the ports (only those required between each subnet), but what sort of security risks are there? I have the feeling that people can ride on the traffic? I hope I'm wrong. If this isn't the case then you've confirmed what I always thought, and thanks for all of your help

    (All of you!)

    It's a balancing act. If you do not open the ports, users cannot access the things they need. If you do open the ports, there is a risk of an exploit or attack. If you do not get in the car, you cannot go to work. If you get in the car, you could be in an accident.

    All I can say is that if you set things up in a reasonable way you will not be taking any more risks than the majority of companies in the US today. People get hacked.... It's a reality. But most don't or nobody would have a web presence or do e-commerce.

    Explain "ride on the traffic..."
  • RobertKaucher Member Posts: 4,299 ■■■■■■■■■■
    dynamik wrote: »
    I'm still not clear on the size of this project. You could make a separate DMZ domain for management purposes, but if you're only going to have a couple of machines, such as an Edge Transport and a web server, it doesn't make sense to throw in an extra DC or two for a new domain. You could also configure your DMZ as a separate AD site and have things like your Sharepoint Server and Hub Transport (since you may not want Activesync and/or OWA going to your internal network) servers be domain members. Then you'd only allow the necessary ports in from the internet to the DMZ and only allow those machines to use what they need for authentication or anything else to get to the internal network.

    And hire an extra admin to manage the user accounts on the new domain... LOL
  • wedge1988 Member Posts: 434 ■■■□□□□□□□
    Don't worry about the domain scenario dynamik, that's what I was on about earlier. More than likely I'll create a small domain just to handle the domain address.

    It's nice to know that's how it works though. I've always worried that I'd do it wrong, but it's just as I thought!

    So, what you're saying is that if I design a way of 100% securing this sort of thing, I'll be a millionaire? I'll get to work on it.

    ... After I sort this network out first
  • dynamik Banned Posts: 12,312 ■■■■■■■■■□
    wedge1988 wrote: »
    So, what you're saying is that if I design a way of 100% securing this sort of thing, I'll be a millionaire? I'll get to work on it.

    Unfortunately, that would probably involve executing your users. They're one of, if not the most, significant threat to your organization's security. Many organizations will put powerful, state-of-the-art defenses up around the perimeter, but they will totally neglect the inside, only to have some user do something like set up a personal WAP that allows anyone to circumvent all their defenses.
  • wedge1988 Member Posts: 434 ■■■□□□□□□□
    LOL. Major irony.
    dynamik wrote: »
    only to have some user do something like set up a personal WAP that allows anyone to circumvent all their defenses

    This happened to an admin at another school. This is why my internal network is so secure they'd need physical access to the server to damage it. ;)

    Network Access Protection is a brilliant new feature, I haven't had time to put it in yet though :(